rusty_feeder/exchange/upbit/

auth.rs

/*
 * Upbit JWT authentication implementation
 * Provides JWT token generation for private WebSocket and REST API endpoints
 */

use anyhow::{Result, anyhow};
use hmac::Hmac;
use jsonwebtoken::{Algorithm, EncodingKey, Header, encode};
use serde::{Deserialize, Serialize};
use sha2::{Digest, Sha256, Sha512};
use smartstring::{SmartString, alias::String};
use uuid::Uuid;

/// Type alias for HMAC-SHA256
type HmacSha256 = Hmac<Sha256>;

/// JWT claims for Upbit authentication
#[derive(Debug, Serialize, Deserialize)]
pub struct UpbitJwtClaims {
    /// Access key (API key)
    pub access_key: String,

    /// Nonce - unique identifier for each request
    pub nonce: String,

    /// Query hash for GET/DELETE requests with parameters (optional)
    #[serde(skip_serializing_if = "Option::is_none")]
    pub query_hash: Option<String>,

    /// Body hash for POST/PUT requests with body (optional)
    #[serde(skip_serializing_if = "Option::is_none")]
    pub body_hash: Option<String>,
}

/// Upbit authentication configuration
#[derive(Debug, Clone)]
pub struct UpbitAuthConfig {
    /// API access key
    pub access_key: String,

    /// API secret key
    pub secret_key: String,
}

impl UpbitAuthConfig {
    /// Create a new authentication configuration
    #[must_use]
    pub const fn new(access_key: String, secret_key: String) -> Self {
        Self {
            access_key,
            secret_key,
        }
    }
}

/// Upbit JWT authentication handler
#[derive(Debug)]
pub struct UpbitAuth {
    /// Authentication configuration
    config: UpbitAuthConfig,
}

impl UpbitAuth {
    /// Create a new authentication handler
    #[must_use]
    pub const fn new(config: UpbitAuthConfig) -> Self {
        Self { config }
    }

    /// Generate JWT token for WebSocket authentication
    ///
    /// # Returns
    /// JWT token String for use in Authorization header
    pub fn generate_websocket_jwt(&self) -> Result<String> {
        // Create claims with nonce
        let claims = UpbitJwtClaims {
            access_key: self.config.access_key.clone(),
            nonce: String::from(Uuid::new_v4().to_string()),
            query_hash: None,
            body_hash: None,
        };

        self.encode_jwt(&claims)
    }

    /// Generate JWT token for REST API GET/DELETE requests
    ///
    /// # Parameters
    /// - `query_params`: Query parameters as key-value pairs (optional)
    ///
    /// # Returns
    /// JWT token String for use in Authorization header
    pub fn generate_rest_jwt_get(&self, query_params: Option<&[(&str, &str)]>) -> Result<String> {
        let mut claims = UpbitJwtClaims {
            access_key: self.config.access_key.clone(),
            nonce: String::from(Uuid::new_v4().to_string()),
            query_hash: None,
            body_hash: None,
        };

        // If query parameters exist, calculate query hash
        if let Some(params) = query_params
            && !params.is_empty()
        {
            let query_string = self.build_sorted_query_string(params);
            let query_hash = self.calculate_sha512_hash(&query_string);
            claims.query_hash = Some(query_hash);
        }

        self.encode_jwt(&claims)
    }

    /// Generate JWT token for REST API POST/PUT requests
    ///
    /// # Parameters
    /// - `body`: JSON request body as String
    ///
    /// # Returns
    /// JWT token String for use in Authorization header
    pub fn generate_rest_jwt_post(&self, body: &str) -> Result<String> {
        let claims = UpbitJwtClaims {
            access_key: self.config.access_key.clone(),
            nonce: String::from(Uuid::new_v4().to_string()),
            query_hash: None,
            body_hash: Some(self.calculate_sha512_hash(body)),
        };

        self.encode_jwt(&claims)
    }

    /// Build sorted query String from parameters
    ///
    /// # Parameters
    /// - `params`: Query parameters as key-value pairs
    ///
    /// # Returns
    /// Sorted query String (e.g., "market=KRW-BTC&state=wait")
    fn build_sorted_query_string(&self, params: &[(&str, &str)]) -> String {
        let mut params_vec: Vec<(&str, &str)> = params.to_vec();
        params_vec.sort_by(|a, b| a.0.cmp(b.0)); // Sort by key alphabetically

        params_vec
            .iter()
            .map(|(k, v)| format!("{k}={v}").into())
            .collect::<Vec<String>>()
            .join("&")
            .into()
    }

    /// Calculate SHA512 hash of a String
    ///
    /// # Parameters
    /// - `data`: String to hash
    ///
    /// # Returns
    /// Hexadecimal representation of the hash
    fn calculate_sha512_hash(&self, data: &str) -> String {
        let mut hasher = Sha512::new();
        hasher.update(data.as_bytes());
        hex::encode(hasher.finalize()).into()
    }

    /// Encode JWT with the given claims
    ///
    /// # Parameters
    /// - `claims`: JWT claims to encode
    ///
    /// # Returns
    /// Encoded JWT token String
    fn encode_jwt(&self, claims: &UpbitJwtClaims) -> Result<String> {
        // Create header with HS256 algorithm
        let header = Header::new(Algorithm::HS256);

        // Create encoding key from secret
        let encoding_key = EncodingKey::from_secret(self.config.secret_key.as_bytes());

        // Encode the JWT
        encode(&header, claims, &encoding_key)
            .map(SmartString::from)
            .map_err(|e| anyhow!("Failed to encode JWT: {}", e))
    }
}

// Migrated to rusty-common WebSocket auth infrastructure
/// Helper function to add JWT authentication to WebSocket connection request
/// Uses rusty-common WebSocket auth system
pub fn add_jwt_to_websocket_request(
    headers: &mut rusty_common::collections::FxHashMap<String, String>,
    jwt_token: &str,
) -> Result<()> {
    // Add Authorization header with Bearer token using rusty-common WebSocket auth
    headers.insert("Authorization".into(), format!("Bearer {jwt_token}").into());

    Ok(())
}

#[cfg(test)]
mod tests {
    use super::*;

    #[test]
    fn test_jwt_generation() {
        // Test configuration
        let config = UpbitAuthConfig::new("test_access_key".into(), "test_secret_key".into());

        let auth = UpbitAuth::new(config);

        // Test WebSocket JWT generation
        let ws_jwt = auth.generate_websocket_jwt().unwrap();
        assert!(!ws_jwt.is_empty());

        // Test REST GET JWT generation without params
        let get_jwt = auth.generate_rest_jwt_get(None).unwrap();
        assert!(!get_jwt.is_empty());

        // Test REST GET JWT generation with params
        let params = vec![("market", "KRW-BTC"), ("state", "wait")];
        let get_jwt_with_params = auth.generate_rest_jwt_get(Some(&params)).unwrap();
        assert!(!get_jwt_with_params.is_empty());

        // Test REST POST JWT generation
        let body = r#"{"market":"KRW-BTC","side":"bid","volume":"0.01","price":"20000000","ord_type":"limit"}"#;
        let post_jwt = auth.generate_rest_jwt_post(body).unwrap();
        assert!(!post_jwt.is_empty());
    }

    #[test]
    fn test_query_string_sorting() {
        let config = UpbitAuthConfig::new("test_access_key".into(), "test_secret_key".into());

        let auth = UpbitAuth::new(config);

        // Test query String sorting
        let params = vec![("state", "wait"), ("market", "KRW-BTC"), ("uuids", "uuid1")];
        let sorted = auth.build_sorted_query_string(&params);
        assert_eq!(sorted, "market=KRW-BTC&state=wait&uuids=uuid1");
    }

    #[test]
    fn test_sha512_hash() {
        let config = UpbitAuthConfig::new("test_access_key".into(), "test_secret_key".into());

        let auth = UpbitAuth::new(config);

        // Test SHA512 hash calculation
        let data = "test_data";
        let hash = auth.calculate_sha512_hash(data);

        // SHA512 hash should be 128 characters (64 bytes in hex)
        assert_eq!(hash.len(), 128);

        // Known hash for "test_data"
        let expected_hash = "66f993ac0f65e1a301f4924cc38fc4da1d6ac7c53c3e75e535735788263d97f50a323cec0b033e28a95a4549a5d39a45f85d6f6fb7b02b75e3d5de5e9727a3ea";
        assert_eq!(hash, expected_hash);
    }
}